DarkSide’s most high-profile hacking operation may prove to be its last: in early May, the group launched a ransomware attack against the Colonial Pipeline Company, which provides as much as half the fuel supply for the East Coast of the United States. As the effects of the hack mounted, the company shut down the pipeline, and that led to a spike in the price of gasoline, as well as days of widespread fuel shortages. President Joe Biden declared a state of emergency. DarkSide reportedly walked away with a five-million-dollar ransom, but receiving the payout appears to have come at a cost. On May 14th, DarkSide’s site went down, and the group said that it has lost access to many of its communication and payment tools—as a result of either retaliation from the U.S. or a decision by the members who fund the organization to pull the plug themselves.
DarkSide is a so-called ransomware-as-a-service enterprise, meaning that it does not actually perform the labor of carrying out cyberattacks. Instead, it provides affiliated hackers with a range of services, from handling negotiations to processing payments. It had a blog and a user-friendly interface for hackers to upload and publish stolen information. When DarkSide débuted on Russian-language cybercrime forums, last August, its launch announcement sounded like a tech entrepreneur’s pitch deck. “We created DarkSide because we didn’t find the perfect product for us,” it read. “Now we have it.” It set out a sliding fee scale, ranging from twenty-five per cent of ransoms worth less than half a million dollars to ten per cent of those worth five million or more.
Ransomware as a service, like the modern tech economy as a whole, has evolved to account for a high degree of specialization, with each participant in the marketplace providing discrete skills. An operation such as DarkSide’s attack against Colonial Pipeline begins with an individual or team of hackers known as “individual access brokers,” who penetrate a target company’s network. From that point, another hacker moves laterally to the domain controller, the server in charge of security and user access, and installs the ransomware code there. (DarkSide, among its many services, has offered its own brand of malware for locking and extracting data.) Once a victim’s servers have been breached and its computer systems frozen, the hackers hand things over to the operators of a ransomware-as-a-service outfit, who manage everything else, including determining a ransom value, communicating with victim organizations, and arranging the particulars of payment. “That’s the stuff you, as a hacker, don’t want to deal with,” Mark Arena, the C.E.O. of Intel 471, a private cyberintelligence firm, said. “You don’t have the patience or the social skills.”
On May 10th, Biden said U.S. intelligence believes that DarkSide is located in Russia, even if there is “no evidence” that links it to the Russian state. Like many revenue streams in the cybercrime underworld, ransomware as a service is largely, though not entirely, dominated by Russian-speaking hackers with roots in Russia and other former Soviet states. (There are plenty of exceptions, such as North Korea’s state-run hacking teams, who specialize in online bank theft.)
The reasons for this situation go back to the collapse of the Soviet Union, in the nineteen-nineties, when highly competent engineers, programmers, and technicians were suddenly left adrift. Decades later, the story hasn’t changed much: younger generations of Russians have access to specialized educations in physics, computer science, and mathematics, but have few outlets to realize those talents, at least not for the kinds of salaries available to programmers in, say, Silicon Valley. “And what do they see when they go online? That it’s possible with their knowledge and skills to earn millions of dollars, just like that,” Sergey Golovanov, the chief security expert at Kaspersky Lab, a cybersecurity company based in Moscow, said. “A certain percentage of these people decide it’s worth breaking the law.”
Such a career can look all the more attractive given that the risks seem rather small, at least if you focus on Western targets. Although Russian law-enforcement bodies periodically mount operations aimed at domestic cybercriminals, they generally turn a blind eye to those who use Russia as a base for infiltrating foreign networks. That is partly a function of legal jurisdiction and investigative wherewithal. If there’s no victim on Russian territory who can show up in person to file a police report and offer evidence for a criminal trial, then there isn’t much for the authorities to pursue. “Even if Russia law enforcement was so inclined, there would be nothing to investigate,” Alexey Lukatsky, a noted cybersecurity consultant in Moscow, said.
To insure that they don’t run into trouble on their home turf, most ransomware-as-a-service sites prohibit the targeting of companies or institutions in Russia or within the territory of the former Soviet Union. “Hackers have a rule: don’t work on the .ru domain,” Golovanov said. In DarkSide’s case, part of its malware code scanned for languages installed on the target workstation; if it detected Russian or another language common to post-Soviet countries, it did not deploy, and erased itself from the machine.
But there is also one further, very important reason why cybercriminals may feel relatively free to operate from inside of Russia. Russia’s security services are tempted to see hackers who target Western corporations, governments, and individuals less as a threat than as a resource. In 2014, the F.B.I. indicted a Russian hacker named Evgeniy Bogachev on charges of allegedly stealing hundreds of millions of dollars from bank accounts across the globe; American prosecutors asked their Russian counterparts for coöperation. Rather than arrest Bogachev, however, Russian authorities used his breaches to hunt for files and e-mails on devices belonging to government employees and contractors in the United States, Georgia, and Turkey. As the Times wrote, the Russian state was, in effect, “grafting an intelligence operation onto a far-reaching cybercriminal scheme, sparing themselves the hard work of hacking into the computers themselves.”
In a 2012 policy paper titled “Beyond Attribution,” Jason Healey, the director of the Cyber Statecraft Initiative at the Atlantic Council, proposed assessing state responsibility in hacking attacks on a continuum ranging from “state-prohibited” to “state-integrated.” It is unclear exactly where the DarkSide attack against Colonial Pipeline falls on that line, or what Biden meant when he said that Russia “bears some responsibility to deal with this.” So far, the publicly available evidence suggests a categorization, in Healey’s taxonomy, of “state-ignored,” in which a “national government knows about the third-party attacks but, as a matter of policy, is unwilling to take any official action.”
For its part, the Kremlin has rejected any suggestion that it carries some blame for not doing more to rein in the activities of groups like DarkSide. “Russia has nothing to do with this,” Vladimir Putin’s spokesman, Dmitry Peskov, said. But accusations of Russian involvement in major hacking operations have, at this point, become commonplace. Just a month ago, Biden sanctioned Russia for the SolarWinds breach, in which at least nine separate federal agencies and a hundred private companies had their networks compromised by Russian intelligence services. “In Russia, we are used to allegations that we hack everyone and everything,” Lukatsky told me wryly.
Meanwhile, the Russian-language cybercrime forums that historically functioned as a marketplace for DarkSide have banned the group from their portals. The word ‘ransom’ “has become dangerous and toxic,” one administrator wrote, noting that the last thing Russian criminal hackers and their associates want is to create problems for the Kremlin. “Peskov is forced to make excuses in front of our overseas ‘friends’—this is nonsense and a sign things have gone too far.”
But no one expects the practice to go away. A number of the largest ransomware-as-a-service outfits announced that they will move to operate in “private” mode, ceasing to advertise on the dark Web and accepting only affiliate hackers whom they know and trust. They have also said that they will take a more active role in vetting and approving targets ahead of time. As for DarkSide itself, it will likely regroup and rebrand as a new product—a very tech-world sort of recovery from a public flameout. “Such people don’t remain out of work forever,” Dmitry Volkov, the chief technology officer of Group-IB, a Moscow cybersecurity company, said.
